http://bugs.winehq.org/show_bug.cgi?id=28732
Bug #: 28732
Summary: use-after-free in MONTHCAL_UpdateSize
Product: Wine
Version: 1.3.30
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: comctl32
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified

While running "make monthcal.ok" in comctl32/tests, valgrind complains

 Invalid read of size 4
    at MONTHCAL_UpdateSize (monthcal.c:2556)
    by MONTHCAL_WindowProc (monthcal.c:2739)
    by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
    by call_window_proc (winproc.c:242)
    by WINPROC_CallProcAtoW (winproc.c:404)
    by WINPROC_call_window (winproc.c:910)
    by call_window_proc (message.c:2211)
    by send_message (message.c:3084)
    by SendMessageA (message.c:3286)
    by WIN_CreateWindowEx (win.c:1448)
    by CreateWindowExA (win.c:1550)
    by create_monthcal_control (monthcal.c:577)
    by func_monthcal (monthcal.c:1524)
  Address 0x7f045618 is 8 bytes inside a block of size 112 free'd
    at RtlReAllocateHeap (heap.c:262)
    by HeapReAlloc (heap.c:277)
    by GlobalReAlloc (heap.c:651)
    by LocalReAlloc (heap.c:1075)
    by ReAlloc (comctl32undoc.c:99)
    by MONTHCAL_UpdateSize (monthcal.c:2541)
    by MONTHCAL_WindowProc (monthcal.c:2739)
    by ??? (in /oldhome/dank/wine-git/dlls/user32/user32.dll.so)
    by call_window_proc (winproc.c:242)
    by WINPROC_CallProcAtoW (winproc.c:404)
    by WINPROC_call_window (winproc.c:910)
    by call_window_proc (message.c:2211)
    by send_message (message.c:3084)
    by SendMessageA (message.c:3286)
    by WIN_CreateWindowEx (win.c:1448)
    by CreateWindowExA (win.c:1550)
    by create_monthcal_control (monthcal.c:577)
    by func_monthcal (monthcal.c:1524)

A quick look at the source makes me think that the pointer 'title' might need to be updated when the realloc is done.
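
The stale-pointer pattern the report suspects, next to a corrected form, as an added example that is not Wine's code and not part of the original report. The struct layout, field names and function names are hypothetical, and plain realloc stands in for comctl32's ReAlloc.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the control's data; not Wine's types. */
typedef struct { int left, top, right, bottom; } rect_t;
typedef struct { rect_t title; rect_t days; } calendar_t;
typedef struct { calendar_t *calendars; size_t count; } cal_info_t;

/* Pattern from the report: 'title' is taken before the block is reallocated
 * and read afterwards. Shown for contrast only; do not call it. */
int update_size_stale(cal_info_t *info, size_t new_count)
{
    rect_t *title = &info->calendars[0].title;   /* interior pointer */
    calendar_t *p = realloc(info->calendars, new_count * sizeof(*p));
    if (!p)
        return -1;
    info->calendars = p;
    return title->bottom - title->top;   /* dangling if realloc moved the block */
}

/* Corrected form: nothing pointing into the old block survives the realloc;
 * the interior pointer is derived from the new base address. */
int update_size_fixed(cal_info_t *info, size_t new_count)
{
    calendar_t *p;
    rect_t *title;

    /* Reject empty and overflowing sizes before touching the heap. */
    if (new_count == 0 || new_count > SIZE_MAX / sizeof(*p))
        return -1;

    p = realloc(info->calendars, new_count * sizeof(*p));
    if (!p)
        return -1;                       /* old block is still valid and owned */

    /* realloc does not zero the grown tail; clear it explicitly. */
    if (new_count > info->count)
        memset(p + info->count, 0, (new_count - info->count) * sizeof(*p));

    info->calendars = p;
    info->count = new_count;

    title = &info->calendars[0].title;   /* re-derived after the realloc */
    return title->bottom - title->top;
}
```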